Unfortunately, not all web containers will support this. There was apparent disagreement on the interpretation of the specification in this area. In particular, WebLogic does not support this. I believe, however, that in version 8.1 it's possible to do this, although I believe you have to set some non-standard configuration flag. I don't know the details.
The alternative is to put all JSP pages into a security constraint on a role that no user is set to. > -----Original Message----- > From: Nathan Pitts [mailto:[EMAIL PROTECTED] > Sent: Thursday, June 05, 2003 8:02 AM > To: Struts Users Mailing List > Subject: Re: calling actions directly > > Brian, > > If you put all your jsp's inside a the WEB-INF directory, they will not > be accessible directly -- only through an action. I think this is part > of the jsp specification that nothing can be directly served out of > this special directory..Otherwise, a user could pull up configuration > files that reside there -- web.xml for example.....For example, I have > a directory structure containing jsp's under WEB-INF/jsp in my current > web application....Hope this helps! > --nathan > > > On Thursday, June 5, 2003, at 09:47 AM, Brian McSweeney wrote: > > > Ah yes, > > > >> Perhaps what you're thinking of is that JSP files should not be called > >> directly or bookmarked. They should be hidden from the user > >> completely, > > and > >> only accessible through an action. > > > > that was it - sorry - stupid of me. > > Could you tell me how to secure the jsps so that they are only a > > result of > > the action? > > cheers, > > Brian > > > > > > ----- Original Message ----- > > From: "Kruse, Matt" <[EMAIL PROTECTED]> > > To: "Struts Users Mailing List" <[EMAIL PROTECTED]> > > Sent: Thursday, June 05, 2003 3:12 PM > > Subject: RE: calling actions directly > > > > > >>> I read that one of the things about struts is the actions are > >>> only able to be called from the pages directly. Ie, you > >>> shouldn't be able to bookmark the actions themselves like: > >>> http://myhost/myaction.do > >> > >> Where did you hear this? That's totally not true - any action can be > > called > >> directly as long as it has a mapping. It's just a URL. Otherwise, how > > would > >> you enter the first action? :) > >> > >> Perhaps what you're thinking of is that JSP files should not be called > >> directly or bookmarked. They should be hidden from the user > >> completely, > > and > >> only accessible through an action. > >> > >> Matt Kruse > >> > >> > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [EMAIL PROTECTED] > > For additional commands, e-mail: [EMAIL PROTECTED] > > > > > > > > ============================= > Nathan Pitts > Programmer Analyst > Texas Animal Health Commission > ============================= > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
